alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Successful Connect Packet Packet"; flowbits:isset,BS.BPset; flow:established,to_server; dsize:16; content:"|9a 02 08 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; tag:session; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2006396; sid:2006397; rev:1;)
Added 2007-07-16 05:16:13 UTC
Bot is using port 80 in an interesting way. Agent makes an outbound port 80 connection, sends a checkin, gets a command back of what IP and port to connect to. Then sends a connection successful type of packet, then streams whatever the controller sends through the agent.
Initial packet from the agent looks like so:
24 bytes
09 02 06 00 25 ab 3f .....
Agent replies with:
10 bytes
9a 02 07 00 xx xx xx xx 00 yy
the x's are the IP to connect to, y being the port
Agent then makes the connection and replies with something like:
16 bytes
9a 02 08 00 00 00 ...
The agent then started proxying the connection direct between controller.
More info as I get it
Matt
--
MattJonkman - 16 Jul 2007
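The three packets described in the post (24-byte checkin, 10-byte IP/port command, 16-byte connect-success) lend themselves to a small decoder that an analyst can run over payloads pulled from a capture. The following is an added example written for this page; it is not code from the post or from the Bleeding Edge project. The size and header checks mirror the rule's dsize and content/offset/depth tests, and the session walk mirrors the flowbits logic (the connect-success only alerts once a checkin has been seen). Assumptions not stated in the post: the four IP bytes are in network order, the trailing "00 yy" is a big-endian 16-bit port, and BS.BPset is set by a companion rule on the checkin packet. The sample bytes are constructed; only the header values come from the post.

```python
"""Decode and correlate the bot packets described in the post.

Added example, not code from the original post or the Bleeding Edge project.
Assumptions (not stated in the post):
  * the 4-byte IP in the command packet is in network byte order,
  * the trailing "00 yy" is a big-endian 16-bit port,
  * flowbit BS.BPset is set by a companion rule on the 24-byte checkin.
"""
import ipaddress
import struct
from typing import Dict, Iterable, List, Optional

CHECKIN_HDR = b"\x09\x02\x06\x00"    # 24-byte agent checkin
COMMAND_HDR = b"\x9a\x02\x07\x00"    # 10-byte "connect to IP:port" command
CONNECTED_HDR = b"\x9a\x02\x08\x00"  # 16-byte connect-success (what sid 2006397 matches)


def classify(payload: bytes) -> Optional[Dict[str, object]]:
    """Return a dict describing the packet, or None if it matches nothing.

    Length checks stand in for the rule's dsize; the 4-byte header compare
    stands in for content/offset:0/depth:4.
    """
    if len(payload) == 24 and payload[:4] == CHECKIN_HDR:
        return {"kind": "checkin"}
    if len(payload) == 10 and payload[:4] == COMMAND_HDR:
        ip = str(ipaddress.IPv4Address(payload[4:8]))
        (port,) = struct.unpack(">H", payload[8:10])  # assumption: big-endian port
        return {"kind": "command", "ip": ip, "port": port}
    if len(payload) == 16 and payload[:4] == CONNECTED_HDR:
        return {"kind": "connected"}
    return None


def correlate(session: Iterable[bytes]) -> List[str]:
    """Walk one TCP session's payloads and emit alerts the way flowbits would.

    The connect-success packet only alerts if a checkin was seen earlier in
    the same session (flowbits:isset,BS.BPset). The IP:port from the command
    packet is attached so the analyst knows where the proxied tunnel goes.
    """
    alerts: List[str] = []
    bp_set = False                 # stands in for flowbits BS.BPset
    target: Optional[str] = None
    for payload in session:
        info = classify(payload)
        if info is None:
            continue               # proxied application data, not a control packet
        if info["kind"] == "checkin":
            bp_set = True
        elif info["kind"] == "command":
            target = f"{info['ip']}:{info['port']}"
        elif info["kind"] == "connected" and bp_set:
            alerts.append(f"bot proxy tunnel established to {target or 'unknown'}")
    return alerts


# Constructed sample session: headers from the post, everything else invented.
SAMPLE_SESSION = [
    bytes.fromhex("09020600 25ab3f") + b"\x00" * 17,                  # 24-byte checkin
    COMMAND_HDR + bytes([198, 51, 100, 23]) + struct.pack(">H", 80),  # 10-byte command
    CONNECTED_HDR + b"\x00" * 12,                                     # 16-byte connected
    b"GET / HTTP/1.0\r\n\r\n",                                        # proxied data
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_SESSION):
        print(alert)
```

Running the module on the constructed session prints one alert naming the decoded target. Feeding it only the command and connected packets, without the checkin, produces nothing, which is the same behaviour the flowbits:isset test gives the Snort rule.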